fix(system,windows): normalize SidList in event 4908

Adds whitespace normalization for the SidList field in Windows
Security event 4908 (Special Groups Logon table modified). The
ingest pipeline now uses a gsub processor to normalize separators
before parsing, and the Painless script handles the normalized
format correctly.

Test data originates from
elastic/beats@dd7a1b3

Author: andrewkroh

packages/system/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.7.1"
+  changes:
+    - description: Fixed parsing of SidList field in Windows Security event 4908 (Special Groups Logon table modified) by normalizing whitespace separators.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/15797
 - version: "2.7.0"
   changes:
     - description: Add NTP data stream.

packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4908.json

@@ -0,0 +1,46 @@
+{
+  "events": [
+    {
+      "@timestamp": "2020-08-19T06:07:25.0461779Z",
+      "event": {
+        "action": "Audit Policy Change",
+        "code": "4908",
+        "kind": "event",
+        "outcome": "success",
+        "provider": "Microsoft-Windows-Security-Auditing"
+      },
+      "host": {
+        "name": "WIN-BVM4LI1L1Q6.TEST.local"
+      },
+      "log": {
+        "level": "information"
+      },
+      "labels": {
+        "origin": "https://github.com/elastic/beats/commit/dd7a1b3808eb98e77fb49b268cd3764cc17eff5b"
+      },
+      "message": "Special Groups Logon table modified.\n\nSpecial Groups:\t\n\t\t%{S-1-5-32-544}\n\t\t%{S-1-5-32-123-54-65}\n\nThis event is generated when the list of special groups is updated in the registry or through security policy. The updated list of special groups is indicated in the event.",
+      "winlog": {
+        "channel": "Security",
+        "computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
+        "event_data": {
+          "SidList": "\n\t\t%{S-1-5-32-544}\n\t\t%{S-1-5-32-123-54-65}"
+        },
+        "event_id": "4908",
+        "keywords": [
+          "Audit Success"
+        ],
+        "opcode": "Info",
+        "process": {
+          "pid": 784,
+          "thread": {
+            "id": 808
+          }
+        },
+        "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+        "provider_name": "Microsoft-Windows-Security-Auditing",
+        "record_id": 140274,
+        "task": "Audit Policy Change"
+      }
+    }
+  ]
+}

packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4908.json-expected.json

@@ -0,0 +1,64 @@
+{
+    "expected": [
+        {
+            "@timestamp": "2020-08-19T06:07:25.0461779Z",
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "action": "special-group-table-changed",
+                "category": [
+                    "iam",
+                    "configuration"
+                ],
+                "code": "4908",
+                "kind": "event",
+                "outcome": "success",
+                "provider": "Microsoft-Windows-Security-Auditing",
+                "type": [
+                    "admin",
+                    "change"
+                ]
+            },
+            "host": {
+                "name": "WIN-BVM4LI1L1Q6.TEST.local"
+            },
+            "labels": {
+                "origin": "https://github.com/elastic/beats/commit/dd7a1b3808eb98e77fb49b268cd3764cc17eff5b"
+            },
+            "log": {
+                "level": "information"
+            },
+            "message": "Special Groups Logon table modified.\n\nSpecial Groups:\t\n\t\t%{S-1-5-32-544}\n\t\t%{S-1-5-32-123-54-65}\n\nThis event is generated when the list of special groups is updated in the registry or through security policy. The updated list of special groups is indicated in the event.",
+            "winlog": {
+                "channel": "Security",
+                "computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
+                "event_data": {
+                    "SidList": [
+                        "%{S-1-5-32-544}",
+                        "%{S-1-5-32-123-54-65}"
+                    ],
+                    "SidListDesc": [
+                        "Administrators",
+                        "S-1-5-32-123-54-65"
+                    ]
+                },
+                "event_id": "4908",
+                "keywords": [
+                    "Audit Success"
+                ],
+                "opcode": "Info",
+                "process": {
+                    "pid": 784,
+                    "thread": {
+                        "id": 808
+                    }
+                },
+                "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+                "provider_name": "Microsoft-Windows-Security-Auditing",
+                "record_id": "140274",
+                "task": "Audit Policy Change"
+            }
+        }
+    ]
+}

packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml

@@ -4432,7 +4432,12 @@ processors:
         ctx.winlog?.event_data?.OldTargetUserName != null &&
         ctx.winlog.event_data.OldTargetUserName != "-"
 
-
+  - gsub:
+      description: Normalize separators in the SidList value.
+      field: winlog.event_data.SidList
+      pattern: '\s+'
+      replacement: ' '
+      ignore_missing: true
   - script:
       lang: painless
       ignore_failure: false

packages/system/manifest.yml

@@ -1,7 +1,7 @@
 format_version: 3.0.2
 name: system
 title: System
-version: "2.7.0"
+version: "2.7.1"
 description: Collect system logs and metrics from your servers with Elastic Agent.
 type: integration
 categories:

packages/windows/changelog.yml

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "3.1.3"
+  changes:
+    - description: Fixed parsing of SidList field in Windows Security event 4908 (Special Groups Logon table modified) by normalizing whitespace separators.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/15797
 - version: "3.1.2"
   changes:
     - description: Remove unused agent files.

packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4908.json

@@ -0,0 +1,46 @@
+{
+  "events": [
+    {
+      "@timestamp": "2020-08-19T06:07:25.0461779Z",
+      "event": {
+        "action": "Audit Policy Change",
+        "code": "4908",
+        "kind": "event",
+        "outcome": "success",
+        "provider": "Microsoft-Windows-Security-Auditing"
+      },
+      "host": {
+        "name": "WIN-BVM4LI1L1Q6.TEST.local"
+      },
+      "log": {
+        "level": "information"
+      },
+      "labels": {
+        "origin": "https://github.com/elastic/beats/commit/dd7a1b3808eb98e77fb49b268cd3764cc17eff5b"
+      },
+      "message": "Special Groups Logon table modified.\n\nSpecial Groups:\t\n\t\t%{S-1-5-32-544}\n\t\t%{S-1-5-32-123-54-65}\n\nThis event is generated when the list of special groups is updated in the registry or through security policy. The updated list of special groups is indicated in the event.",
+      "winlog": {
+        "channel": "Security",
+        "computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
+        "event_data": {
+          "SidList": "\n\t\t%{S-1-5-32-544}\n\t\t%{S-1-5-32-123-54-65}"
+        },
+        "event_id": "4908",
+        "keywords": [
+          "Audit Success"
+        ],
+        "opcode": "Info",
+        "process": {
+          "pid": 784,
+          "thread": {
+            "id": 808
+          }
+        },
+        "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+        "provider_name": "Microsoft-Windows-Security-Auditing",
+        "record_id": 140274,
+        "task": "Audit Policy Change"
+      }
+    }
+  ]
+}

packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4908.json-expected.json

@@ -0,0 +1,64 @@
+{
+    "expected": [
+        {
+            "@timestamp": "2020-08-19T06:07:25.0461779Z",
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "action": "special-group-table-changed",
+                "category": [
+                    "iam",
+                    "configuration"
+                ],
+                "code": "4908",
+                "kind": "event",
+                "outcome": "success",
+                "provider": "Microsoft-Windows-Security-Auditing",
+                "type": [
+                    "admin",
+                    "change"
+                ]
+            },
+            "host": {
+                "name": "WIN-BVM4LI1L1Q6.TEST.local"
+            },
+            "labels": {
+                "origin": "https://github.com/elastic/beats/commit/dd7a1b3808eb98e77fb49b268cd3764cc17eff5b"
+            },
+            "log": {
+                "level": "information"
+            },
+            "message": "Special Groups Logon table modified.\n\nSpecial Groups:\t\n\t\t%{S-1-5-32-544}\n\t\t%{S-1-5-32-123-54-65}\n\nThis event is generated when the list of special groups is updated in the registry or through security policy. The updated list of special groups is indicated in the event.",
+            "winlog": {
+                "channel": "Security",
+                "computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
+                "event_data": {
+                    "SidList": [
+                        "%{S-1-5-32-544}",
+                        "%{S-1-5-32-123-54-65}"
+                    ],
+                    "SidListDesc": [
+                        "Administrators",
+                        "S-1-5-32-123-54-65"
+                    ]
+                },
+                "event_id": "4908",
+                "keywords": [
+                    "Audit Success"
+                ],
+                "opcode": "Info",
+                "process": {
+                    "pid": 784,
+                    "thread": {
+                        "id": 808
+                    }
+                },
+                "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
+                "provider_name": "Microsoft-Windows-Security-Auditing",
+                "record_id": "140274",
+                "task": "Audit Policy Change"
+            }
+        }
+    ]
+}

packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security_standard.yml

@@ -3931,7 +3931,12 @@ processors:
         ctx.winlog?.event_data?.OldTargetUserName != null &&
         ctx.winlog.event_data.OldTargetUserName != "-"
 
-
+  - gsub:
+      description: Normalize separators in the SidList value.
+      field: winlog.event_data.SidList
+      pattern: '\s+'
+      replacement: ' '
+      ignore_missing: true
   - script:
       lang: painless
       ignore_failure: false
@@ -4260,7 +4265,8 @@ processors:
 
         void splitSidList(def sids, def params, def ctx) {
           ArrayList al = new ArrayList();
-          def sidList = sids.splitOnToken(" ");
+          def sidsArray = sids.splitOnToken(" ");
+          ArrayList sidList = new ArrayList(Arrays.asList(sidsArray));
           ctx.winlog.event_data.put("SidList", sidList);
           for (def i = 0; i < sidList.length; i++ ) {
             al.add(translateSID(sidList[i].replace("%", "").replace("{", "").replace("}", "").replace(" ",""), params));

packages/windows/manifest.yml

@@ -1,6 +1,6 @@
 name: windows
 title: Windows
-version: 3.1.2
+version: 3.1.3
 description: Collect logs and metrics from Windows OS and services with Elastic Agent.
 type: integration
 categories: